* Wed Mar 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-179

- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
- Revert "Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content."
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content.
- Allow pcp_pmie and pcp_pmlogger to read all domains state.
- Make fwupd domain unconfined. We need to discuss a solution related to using gpg. rhbz#1316717
- Merge pull request #108 from rhatdan/rkt
- Merge pull request #109 from rhatdan/virt_sandbox
- Add new interface to define virt_sandbox_network domains
- Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t to write to redis_conf_t. Allow redis_t to connect on redis tcp port.
- Fix typo in drbd policy
- Remove declaration of empty booleans in virt policy.
- Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs.
- Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files.
- Additional rules to make rkt work in enforcing mode
- Allow logging out to gdm after the screen was resized in a session via vdagent. Resolves: rhbz#1249020
- Allow ipsec to use pam. rhbz#1317988
- Allow systemd-gpt-generator to read fixed_disk_device_t. rhbz#1314968
- Allow setrans daemon to read /proc/meminfo.
- Merge pull request #107 from rhatdan/rkt-base
- Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used.
- Remove bin_t label for /etc/ctdb/events.d/. We need to label these scripts as ctdb_exec_t.
This commit is contained in:
Lukas Vrabec 2016-03-16 13:59:24 +01:00
parent cdb2ae4578
commit 3f0021e9f3
4 changed files with 376 additions and 261 deletions

Binary file not shown.


@ -3495,7 +3495,7 @@ index 7590165..d81185e 100644
+ fs_mounton_fusefs(seunshare_domain)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 33e0f8d..9502a72 100644
index 33e0f8d..b94f32f 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@ -3518,16 +3518,7 @@ index 33e0f8d..9502a72 100644
/etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -59,6 +61,8 @@ ifdef(`distro_redhat',`
/etc/cron.weekly(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/cron.monthly(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/ctdb/events\.d/.* -- gen_context(system_u:object_r:bin_t,s0)
+
/etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
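Review bot: the two lines dropped from this hunk (`+/etc/ctdb/events\.d/.* -- gen_context(system_u:object_r:bin_t,s0)` and the empty `+` line after it) remove the bin_t labeling for the ctdb event scripts, and the commit message says they are to carry ctdb_exec_t instead; that replacement entry lives in the contrib patch, which is suppressed in this view, so confirm both changes ship in the same build, otherwise the scripts fall back to whatever the parent /etc rule gives them and ctdbd_t can no longer execute them. The updated header for the `@@ -59,6 +61,8 @@` hunk is not visible here; with two added lines gone it has to read `@@ -59,6 +61,6 @@`, which is what the following headers (71 → 69) imply, so please check the patch file itself. A note that already-installed systems keep the old label until the directory is relabeled would also help whoever reads the changelog.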
@@ -67,18 +71,33 @@ ifdef(`distro_redhat',`
@@ -67,18 +69,33 @@ ifdef(`distro_redhat',`
/etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0)
/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
@ -3561,7 +3552,7 @@ index 33e0f8d..9502a72 100644
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -101,8 +120,6 @@ ifdef(`distro_redhat',`
@@ -101,8 +118,6 @@ ifdef(`distro_redhat',`
/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
@ -3570,7 +3561,7 @@ index 33e0f8d..9502a72 100644
/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
@@ -116,6 +133,9 @@ ifdef(`distro_redhat',`
@@ -116,6 +131,9 @@ ifdef(`distro_redhat',`
/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
@ -3580,7 +3571,7 @@ index 33e0f8d..9502a72 100644
/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
@@ -135,10 +155,12 @@ ifdef(`distro_debian',`
@@ -135,10 +153,12 @@ ifdef(`distro_debian',`
/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@ -3594,7 +3585,7 @@ index 33e0f8d..9502a72 100644
ifdef(`distro_gentoo',`
/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
@@ -149,10 +171,12 @@ ifdef(`distro_gentoo',`
@@ -149,10 +169,12 @@ ifdef(`distro_gentoo',`
/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
')
@ -3608,7 +3599,7 @@ index 33e0f8d..9502a72 100644
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
@@ -168,6 +192,7 @@ ifdef(`distro_gentoo',`
@@ -168,6 +190,7 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@ -3616,7 +3607,7 @@ index 33e0f8d..9502a72 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -179,34 +204,50 @@ ifdef(`distro_gentoo',`
@@ -179,34 +202,50 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@ -3676,7 +3667,7 @@ index 33e0f8d..9502a72 100644
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -218,19 +259,32 @@ ifdef(`distro_gentoo',`
@@ -218,19 +257,32 @@ ifdef(`distro_gentoo',`
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@ -3716,7 +3707,7 @@ index 33e0f8d..9502a72 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
@@ -245,26 +299,40 @@ ifdef(`distro_gentoo',`
@@ -245,26 +297,40 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@ -3762,7 +3753,7 @@ index 33e0f8d..9502a72 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -280,10 +348,14 @@ ifdef(`distro_gentoo',`
@@ -280,10 +346,14 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@ -3777,7 +3768,7 @@ index 33e0f8d..9502a72 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
@@ -298,16 +370,22 @@ ifdef(`distro_gentoo',`
@@ -298,16 +368,22 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@ -3802,7 +3793,7 @@ index 33e0f8d..9502a72 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -325,20 +403,27 @@ ifdef(`distro_redhat', `
@@ -325,20 +401,27 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@ -3831,7 +3822,7 @@ index 33e0f8d..9502a72 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -346,6 +431,7 @@ ifdef(`distro_redhat', `
@@ -346,6 +429,7 @@ ifdef(`distro_redhat', `
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
@ -3839,7 +3830,7 @@ index 33e0f8d..9502a72 100644
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
@@ -387,17 +473,34 @@ ifdef(`distro_suse', `
@@ -387,17 +471,34 @@ ifdef(`distro_suse', `
#
# /var
#
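Review bot: the remaining corecommands.fc hunks in this region, from `@@ -67,18 +71,33 @@` through `@@ -387,17 +473,34 @@`, change only the new-side start offset of each inner hunk header, every one by exactly two, which matches the two lines removed above; no context lines differ, so there is nothing further to check in them.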
@ -18124,7 +18115,7 @@ index 7be4ddf..9710b33 100644
+/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0)
+/sys/kernel/debug/.* <<none>>
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index e100d88..65a3b6d 100644
index e100d88..c652350 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@ -18135,7 +18126,7 @@ index e100d88..65a3b6d 100644
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## Domain to not audit.
+## </summary>
+## </param>
+#
@ -18755,7 +18746,7 @@ index e100d88..65a3b6d 100644
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
@@ -2972,5 +3284,630 @@ interface(`kernel_unconfined',`
@@ -2972,5 +3284,649 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@ -19309,6 +19300,25 @@ index e100d88..65a3b6d 100644
+
+########################################
+## <summary>
+## Dontaudit write usermodehelper state
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_dontaudit_write_usermodehelper_state',`
+ gen_require(`
+ type usermodehelper_t;
+ ')
+
+ dontaudit $1 usermodehelper_t:file write;
+')
+
+########################################
+## <summary>
+## Relabel to usermodehelper context .
+## </summary>
+## <param name="domain">
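Review bot: in the new `kernel_dontaudit_write_usermodehelper_state` interface the `## <rolecap/>` tag looks out of place: that tag marks an interface as a role capability, and a dontaudit rule grants nothing, so it was most likely carried over from the neighbouring interface and should be dropped. The summary would also read better in the usual "Do not audit attempts to ..." form. On substance, the type name says this is the kernel's usermode-helper state, so silencing write denials on it hides attempts to change how the kernel launches its helpers; keep the callers to the specific noisy domains rather than adding the call to broad templates. The 19 added lines account for the `+3284,630` → `+3284,649` header change in the hunk above.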
@ -28312,7 +28322,7 @@ index 6bf0ecc..e6be63a 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8b40377..23560f0 100644
index 8b40377..436b1e0 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@ -28906,7 +28916,7 @@ index 8b40377..23560f0 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
@@ -442,28 +643,44 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
@@ -442,28 +643,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@ -28918,6 +28928,7 @@ index 8b40377..23560f0 100644
+term_use_all_terms(xdm_t)
+term_relabel_all_ttys(xdm_t)
+term_relabel_unallocated_ttys(xdm_t)
+term_getattr_virtio_console(xdm_t)
auth_domtrans_pam_console(xdm_t)
-auth_manage_pam_pid(xdm_t)
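Review bot: `term_getattr_virtio_console(xdm_t)` is the only added line here, and getattr is the minimal permission for the vdagent resize case named in the commit message (rhbz#1249020), so the scope is right and it sits with the other term_ calls. The interface is not defined anywhere in this diff, so it must already exist in terminal.if of the same base patch; please confirm. The `+643,44` → `+643,45` header change and the +1 shift in every later xserver.te hunk header are consistent with this single added line.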
@ -28955,7 +28966,7 @@ index 8b40377..23560f0 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
@@ -472,24 +689,163 @@ userdom_read_user_home_content_files(xdm_t)
@@ -472,24 +690,163 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@ -29125,7 +29136,7 @@ index 8b40377..23560f0 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
@@ -502,12 +858,31 @@ tunable_policy(`xdm_sysadm_login',`
@@ -502,12 +859,31 @@ tunable_policy(`xdm_sysadm_login',`
# allow xserver_t xdm_tmpfs_t:file rw_file_perms;
')
@ -29157,7 +29168,7 @@ index 8b40377..23560f0 100644
')
optional_policy(`
@@ -518,8 +893,36 @@ optional_policy(`
@@ -518,8 +894,36 @@ optional_policy(`
dbus_system_bus_client(xdm_t)
dbus_connect_system_bus(xdm_t)
@ -29195,7 +29206,7 @@ index 8b40377..23560f0 100644
')
')
@@ -530,6 +933,20 @@ optional_policy(`
@@ -530,6 +934,20 @@ optional_policy(`
')
optional_policy(`
@ -29216,7 +29227,7 @@ index 8b40377..23560f0 100644
hostname_exec(xdm_t)
')
@@ -547,28 +964,78 @@ optional_policy(`
@@ -547,28 +965,78 @@ optional_policy(`
')
optional_policy(`
@ -29304,7 +29315,7 @@ index 8b40377..23560f0 100644
')
optional_policy(`
@@ -580,6 +1047,14 @@ optional_policy(`
@@ -580,6 +1048,14 @@ optional_policy(`
')
optional_policy(`
@ -29319,7 +29330,7 @@ index 8b40377..23560f0 100644
xfs_stream_connect(xdm_t)
')
@@ -594,7 +1069,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
@@ -594,7 +1070,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@ -29328,7 +29339,7 @@ index 8b40377..23560f0 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
@@ -604,8 +1079,11 @@ allow xserver_t input_xevent_t:x_event send;
@@ -604,8 +1080,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@ -29341,7 +29352,7 @@ index 8b40377..23560f0 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
@@ -618,8 +1096,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -618,8 +1097,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@ -29357,7 +29368,7 @@ index 8b40377..23560f0 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
@@ -627,6 +1112,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
@@ -627,6 +1113,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@ -29368,7 +29379,7 @@ index 8b40377..23560f0 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -638,25 +1127,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -638,25 +1128,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@ -29405,7 +29416,7 @@ index 8b40377..23560f0 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
@@ -677,23 +1173,28 @@ dev_rw_apm_bios(xserver_t)
@@ -677,23 +1174,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@ -29437,7 +29448,7 @@ index 8b40377..23560f0 100644
# brought on by rhgb
files_search_mnt(xserver_t)
@@ -705,6 +1206,14 @@ fs_search_nfs(xserver_t)
@@ -705,6 +1207,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@ -29452,7 +29463,7 @@ index 8b40377..23560f0 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
@@ -718,20 +1227,18 @@ init_getpgid(xserver_t)
@@ -718,20 +1228,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@ -29476,7 +29487,7 @@ index 8b40377..23560f0 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
@@ -739,8 +1246,6 @@ userdom_setattr_user_ttys(xserver_t)
@@ -739,8 +1247,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@ -29485,7 +29496,7 @@ index 8b40377..23560f0 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
@@ -785,17 +1290,54 @@ optional_policy(`
@@ -785,17 +1291,54 @@ optional_policy(`
')
optional_policy(`
@ -29542,7 +29553,7 @@ index 8b40377..23560f0 100644
')
optional_policy(`
@@ -803,6 +1345,10 @@ optional_policy(`
@@ -803,6 +1346,10 @@ optional_policy(`
')
optional_policy(`
@ -29553,7 +29564,7 @@ index 8b40377..23560f0 100644
xfs_stream_connect(xserver_t)
')
@@ -818,18 +1364,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
@@ -818,18 +1365,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@ -29578,7 +29589,7 @@ index 8b40377..23560f0 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
@@ -842,26 +1387,21 @@ init_use_fds(xserver_t)
@@ -842,26 +1388,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@ -29613,7 +29624,7 @@ index 8b40377..23560f0 100644
')
optional_policy(`
@@ -912,7 +1452,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
@@ -912,7 +1453,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -29622,7 +29633,7 @@ index 8b40377..23560f0 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
@@ -966,11 +1506,31 @@ allow x_domain self:x_resource { read write };
@@ -966,11 +1507,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -29654,7 +29665,7 @@ index 8b40377..23560f0 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
@@ -992,18 +1552,148 @@ tunable_policy(`! xserver_object_manager',`
@@ -992,18 +1553,148 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@ -35595,7 +35606,7 @@ index 0d4c8d3..537aa42 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 312cd04..324b3af 100644
index 312cd04..102b975 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -35702,7 +35713,7 @@ index 312cd04..324b3af 100644
dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t)
@@ -157,22 +178,31 @@ files_dontaudit_search_home(ipsec_t)
@@ -157,22 +178,32 @@ files_dontaudit_search_home(ipsec_t)
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
@ -35711,6 +35722,7 @@ index 312cd04..324b3af 100644
term_use_console(ipsec_t)
term_dontaudit_use_all_ttys(ipsec_t)
+auth_use_pam(ipsec_t)
auth_use_nsswitch(ipsec_t)
+auth_read_home_content(ipsec_t)
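Review bot: `auth_use_pam(ipsec_t)` is a coarse grant for the rhbz#1317988 fix: the interface bundles everything a PAM-using service needs, so if the daemon needs only part of it a narrower interface would be preferable, and if auth_use_pam already covers nsswitch the existing `auth_use_nsswitch(ipsec_t)` on the next line becomes redundant. The `+178,31` → `+178,32` header change and the +1 shift in the following ipsec.te hunks match the one added line.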
@ -35736,7 +35748,7 @@ index 312cd04..324b3af 100644
optional_policy(`
seutil_sigchld_newrole(ipsec_t)
@@ -182,19 +212,30 @@ optional_policy(`
@@ -182,19 +213,30 @@ optional_policy(`
udev_read_db(ipsec_t)
')
@ -35771,7 +35783,7 @@ index 312cd04..324b3af 100644
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@@ -208,12 +249,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
@@ -208,12 +250,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@ -35787,7 +35799,7 @@ index 312cd04..324b3af 100644
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
@@ -246,6 +289,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
@@ -246,6 +290,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@ -35804,7 +35816,7 @@ index 312cd04..324b3af 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
@@ -255,6 +308,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
@@ -255,6 +309,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
@ -35813,7 +35825,7 @@ index 312cd04..324b3af 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
@@ -269,6 +324,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
@@ -269,6 +325,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)
files_read_etc_runtime_files(ipsec_mgmt_t)
@ -35821,7 +35833,7 @@ index 312cd04..324b3af 100644
files_read_usr_files(ipsec_mgmt_t)
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
@@ -278,9 +334,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
@@ -278,9 +335,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@ -35833,7 +35845,7 @@ index 312cd04..324b3af 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
@@ -288,17 +345,28 @@ init_exec_script_files(ipsec_mgmt_t)
@@ -288,17 +346,28 @@ init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
@ -35867,7 +35879,7 @@ index 312cd04..324b3af 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
@@ -322,6 +390,10 @@ optional_policy(`
@@ -322,6 +391,10 @@ optional_policy(`
')
optional_policy(`
@ -35878,7 +35890,7 @@ index 312cd04..324b3af 100644
modutils_domtrans_insmod(ipsec_mgmt_t)
')
@@ -335,7 +407,7 @@ optional_policy(`
@@ -335,7 +408,7 @@ optional_policy(`
#
allow racoon_t self:capability { net_admin net_bind_service };
@ -35887,7 +35899,7 @@ index 312cd04..324b3af 100644
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
@@ -370,13 +442,12 @@ kernel_request_load_module(racoon_t)
@@ -370,13 +443,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@ -35907,7 +35919,7 @@ index 312cd04..324b3af 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
@@ -401,10 +472,10 @@ locallogin_use_fds(racoon_t)
@@ -401,10 +473,10 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
@ -35920,7 +35932,7 @@ index 312cd04..324b3af 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
@@ -438,9 +509,8 @@ corenet_setcontext_all_spds(setkey_t)
@@ -438,9 +510,8 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
@ -42470,7 +42482,7 @@ index efa9c27..536a514 100644
+ manage_files_pattern($1, setrans_var_run_t, setrans_var_run_t)
+')
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 1447687..d5e6fb9 100644
index 1447687..0b1da4d 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -12,6 +12,7 @@ gen_require(`
@ -42481,7 +42493,15 @@ index 1447687..d5e6fb9 100644
type setrans_initrc_exec_t;
init_script_file(setrans_initrc_exec_t)
@@ -78,7 +79,6 @@ locallogin_dontaudit_use_fds(setrans_t)
@@ -49,6 +50,7 @@ manage_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir })
+kernel_read_system_state(setrans_t)
kernel_read_kernel_sysctls(setrans_t)
kernel_read_proc_symlinks(setrans_t)
@@ -78,7 +80,6 @@ locallogin_dontaudit_use_fds(setrans_t)
logging_send_syslog_msg(setrans_t)
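Review bot: `kernel_read_system_state(setrans_t)` grants read access to the generic /proc state type, which is wider than the /proc/meminfo read named in the commit message, but as far as I know /proc/meminfo is not separately typed, so there is no finer interface to use and this is the expected call; placing it ahead of `kernel_read_kernel_sysctls` keeps the kernel_ calls grouped. The new `@@ -49,6 +50,7 @@` hunk and the `+79,6` → `+80,6` header change are consistent with one added line.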
@ -45266,10 +45286,10 @@ index 0000000..21f7c14
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..f4783a5
index 0000000..605f160
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,904 @@
@@ -0,0 +1,909 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -45832,6 +45852,8 @@ index 0000000..f4783a5
+allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
+allow systemd_notify_t self:unix_dgram_socket create_socket_perms;
+
+dev_write_kmsg(systemd_notify_t)
+
+domain_use_interactive_fds(systemd_notify_t)
+
+fs_getattr_cgroup_files(systemd_notify_t)
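Review bot: `dev_write_kmsg(systemd_notify_t)` is unconditional, while the commit message ties the need to the `systemd.log_target=kmsg` boot option; a kernel command-line option cannot be expressed as a policy tunable, so that is acceptable, but write access to the kmsg device lets the domain inject lines into the kernel log, so it should stay confined to this helper domain rather than move into a shared systemd template. Together with the three lines added in the gpt-generator hunk below, the two lines here account for the `+1,904` → `+1,909` header change.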
@ -46105,10 +46127,13 @@ index 0000000..f4783a5
+#
+# systemd_gpt_generator domain
+#
+
+dev_read_sysfs(systemd_gpt_generator_t)
+dev_write_kmsg(systemd_gpt_generator_t)
+dev_read_nvme(systemd_gpt_generator_t)
+
+storage_raw_read_fixed_disk(systemd_gpt_generator_t)
+
+#######################################
+#
+# systemd_resolved domain
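Review bot: `storage_raw_read_fixed_disk(systemd_gpt_generator_t)` is raw read of fixed_disk_device_t, that is the whole block device, which a GPT generator needs in order to parse partition tables (rhbz#1314968); it is read-only, so the scope is right. The hunk grows from 10 to 13 lines, so three lines are new here; please confirm they are this call and the blank lines around it, with `dev_read_sysfs`, `dev_write_kmsg` and `dev_read_nvme` already present before this change.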

File diff suppressed because it is too large.

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 178%{?dist}
Release: 179%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -670,6 +670,29 @@ exit 0
%endif
%changelog
* Wed Mar 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-179
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
- Revert "Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content."
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content.
- Allow pcp_pmie and pcp_pmlogger to read all domains state.
- Make fwupd domain unconfined. We need to discuss solution related to using gpg. rhbz#1316717
- Merge pull request #108 from rhatdan/rkt
- Merge pull request #109 from rhatdan/virt_sandbox
- Add new interface to define virt_sandbox_network domains
- Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port.
- Fix typo in drbd policy
- Remove declaration of empty booleans in virt policy.
- Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs.
- Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files.
- Additional rules to make rkt work in enforcing mode
- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
- Allow ipsec to use pam. rhbz#1317988
- Allow systemd-gpt-generator to read fixed_disk_device_t. rhbz#1314968
- Allow setrans daemon to read /proc/meminfo.
- Merge pull request #107 from rhatdan/rkt-base
- Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used.
- Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t.
* Thu Mar 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-178
- Label tcp port 5355 as llmnr-> Link-Local Multicast Name Resolution
- Add support systemd-resolved.
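Review bot: the Release bump 178 → 179 and the changelog block match the commit message header above. The hunk header `@ -670,6 +670,29 @@` implies 23 added lines while 22 are visible, so the usual blank separator line before the `* Thu Mar 10 2016` entry is presumably present in the file and only lost in this rendering; if it is not, add it.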